Security researchers on Wednesday disclosed a
set of security flaws that they said could let hackers steal
sensitive information from nearly every modern computing device
containing chips from Intel Corp, Advanced Micro Devices Inc and ARM
Holdings.

… Intel and ARM insisted that the issue was
not a design flaw, but it will require users to download a patch and
update their operating system to fix.

… The first, called Meltdown, affects Intel
chips and lets hackers bypass the hardware barrier between
applications run by users and the computer’s memory, potentially
letting hackers read a computer’s memory and steal passwords. The
second, called Spectre, affects chips from Intel, AMD and ARM and
lets hackers potentially trick otherwise error-free applications into
giving up secret information.

India's
National ID Database With Private Information Of Nearly 1.2 Billion
People Was Reportedly Breached

… The Tribune, a local Indian newspaper,
published a
report claiming its reporters paid Rs. 500 (approximately $8) to
a person who said his name was Anil Kumar, and who they contacted
through WhatsApp. Kumar was able to create a username and password
that gave them access to the demographic information of nearly 1.2
billion Indians who have currently enrolled in Aadhaar, simply by
entering a person’s unique 12-digit Aadhaar number. Regional
officers working with the Unique Identification Authority of India
(UIDAI), the government agency responsible for Aadhaar, told the
Tribune the access was “illegal,” and a “major national
security breach.”

A second
report, published on Thursday by the Quint, an Indian news
website, revealed that anyone
can create an administrator account that lets them access the Aadhaar
database as long as they’re invited by an existing administrator.
[Think: Hackers
inviting hackers. Bob]

If you were part of a Department of Homeland
Security Office of the Inspector General investigation at some time
between 2002 through 2014, DHS wants you to know that you may be a
breach victim. Unfortunately, due
to “technological” issues, it seems that DHS can’t directly
contact you to alert you, so read on…..

A few more details have emerged in the matter of a
breach involving the Department of Homeland Security. The
breach, which involved the May discovery of an unauthorized copy of
DHS’s investigative case management system in the possession of a
former DHS OIG employee, was first reported in November by USA
Today.

Joseph Marks reports
that the Inspector General has now confirmed that the breach affected
more approximately 247,167 DHS employees, but DHS has now also
revealed that the breach impacted non-employees who contacted or
interacted with the department: “individuals (i.e., subjects,
witnesses, and complainants) associated with DHS OIG investigations
from 2002 through 2014 (the “Investigative Data”).”

The privacy incident did not stem from a
cyber-attack by external actors, and the evidence indicates that
affected individual’s personal information was not the primary
target of the unauthorized exfiltration.

But of course, there are lots of raised eyebrows
that the agency responsible for protecting our homeland from
terrorist attacks and the like had an insider breach that went
unprevented and undetected until May of this year. In
response to the incident, DHS notes:

The Department of Homeland Security takes
very seriously the obligation to serve the Department’s employees
and is committed to protecting the information in which they are
entrusted. Please be assured that we will make every effort to
ensure this does not happen again. DHS
is implementing additional security precautions to limit which
individuals have access to this information and will better identify
unusual access patterns. We will continue to review our
systems and practices in order to better secure data. DHS OIG has
also implemented a number of security precautions to further secure
the DHS OIG network.

Will their changes also enable them to identify
and notify any non-employees who might get caught up in any future
breaches? Shouldn’t the agency have some way of doing that unless
someone was a confidential witness who did not provide their real
details in dealing with the agency – or something like that?

The Security implications are clear, but there are
also significant Data Management challenges. Hint: Every
Presidential Tweet is an “Official Record.”

In the age of rapid advances in data science and
artificial intelligence, many organizations still struggle to
incorporate advanced analytics capabilities into their business
models. True incorporation requires bold decisions about
reorganizing the business to make analytics a key component of
strategy. Here we present the case of Grupo Financiero Banorte
(GFNorte), a large Mexican financial group, where the analytics
transformation has been a success story.

… GFNorte recently established a Central
Analytics Business Unit (ABU) with the mandate to convert information
into profits at a rate of 10X cost and to lead the adoption of a
customer-centric approach within the organization. The results
significantly exceeded expectations: In its first year the ABU
yielded profits 46X its costs, in the second year 106X (equivalent to
$275 million of net income), and during its third year it is on
course to produce 200X. These results, along with other
transformational initiatives, have contributed to GFNorte
leapfrogging its competitors within three years to attain second
place in profit generation (up from fourth) in the Mexican financial
system.

Links

About Me

I live in Centennial Colorado. (I'm not actually 100 years old., but I hope to be some day.) I'm an independant computer consultant, specializing in solving problems that traditional IT personnel tend to have difficulty with... That includes everything from inventorying hardware & software, to converting systems & data, to training end-users. I particularly enjoy taking on projects that IT has attempted several times before with no success. I also teach at two local Universities: everything from Introduction to Microcomputers through Business Continuity and Security Management. My background includes IT Audit, Computer Security, and a variety of unique IT projects.